-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | LICENSE | 201 | ||||
-rw-r--r-- | NOTICE | 27 | ||||
-rw-r--r-- | README.rdoc | 41 | ||||
-rw-r--r-- | Rakefile | 72 | ||||
-rw-r--r-- | lib/mixlib/authentication.rb | 12 | ||||
-rw-r--r-- | lib/mixlib/authentication/digester.rb | 38 | ||||
-rw-r--r-- | lib/mixlib/authentication/signatureverification.rb | 101 | ||||
-rw-r--r-- | lib/mixlib/authentication/signedheaderauth.rb | 87 |
9 files changed, 580 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..01d0a08
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+pkg/
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the 
following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. 
@@ -0,0 +1,27 @@
+Mixin::Config NOTICE
+=================
+
+Developed at Opscode (http://www.opscode.com).
+
+ * Copyright 2009, Opscode, Inc. <legal@opscode.com>
+
+Mixin::Config incorporates code from Chef. The Chef notice file follows:
+
+Chef NOTICE
+===========
+
+Developed at Opscode (http://www.opscode.com).
+
+Contributors and Copyright holders:
+
+ * Copyright 2008, Adam Jacob <adam@opscode.com>
+ * Copyright 2008, Arjuna Christensen <aj@hjksolutions.com>
+ * Copyright 2008, Bryan McLellan <btm@loftninjas.org>
+ * Copyright 2008, Ezra Zygmuntowicz <ezra@engineyard.com>
+ * Copyright 2009, Sean Cribbs <seancribbs@gmail.com>
+ * Copyright 2009, Christopher Brown <cb@opscode.com>
+ * Copyright 2009, Thom May <thom@clearairturbulence.org>
+
+Chef incorporates code modified from Open4 (http://www.codeforpeople.com/lib/ruby/open4/), which was written by Ara T. Howard.
+
+Chef incorporates code modified from Merb (http://www.merbivore.com), which is Copyright (c) 2008 Engine Yard.
diff --git a/README.rdoc b/README.rdoc
new file mode 100644
index 0000000..c56ffbf
--- /dev/null
+++ b/README.rdoc
@@ -0,0 +1,41 @@
+== Mixlib::Auth
+
+Mixlib::Auth provides a class-based header signing authentication object, like the one used in Chef. To use in your project:
+
+ require 'rubygems'
+ require 'mixlib/config'
+
+ class MyConfig
+ extend(Mixlib::Config)
+ configure do |c|
+ c[:first_value] = 'something'
+ c[:other_value] = 'something_else'
+ end
+ end
+
+Or...
+
+ class MyConfig
+ extend(Mixlib::Config)
+
+ first_value 'something'
+ other_value 'something_else'
+ end
+
+To check a configuration variable:
+
+ MyConfig.first_value # returns 'something'
+ MyConfig[:first_value] # returns 'something'
+
+To change a configuration variable at runtime:
+
+ MyConfig.first_value('foobar') # sets first_value to 'foobar'
+ MyConfig[:first_value] = 'foobar' # sets first_value to 'foobar'
+
+You should populate your class with the default values for every configuration variable that might be accessed. If you try and access a variable that does not exist, Mixlib::Config will throw an <ArgumentError>.
+
+To load a ruby configuration file (which will evaluate in the context of your configuration class):
+
+ MyConfig.from_file('your_config_file.rb')
+
+Enjoy!
diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..2bf557f
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,72 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'rubygems/specification'
+require 'date'
+require 'spec/rake/spectask'
+require 'cucumber/rake/task'
+
+
+GEM = "mixlib-authentication"
+GEM_VERSION = "1.0.0"
+AUTHOR = "Opscode, Inc."
+EMAIL = "info@opscode.com"
+HOMEPAGE = "http://www.opscode.com"
+SUMMARY = "Mixes in simple per-request authentication"
+
+spec = Gem::Specification.new do |s|
+ s.name = GEM
+ s.version = GEM_VERSION
+ s.platform = Gem::Platform::RUBY
+ s.has_rdoc = true
+ s.extra_rdoc_files = ["README.rdoc", "LICENSE", 'NOTICE']
+ s.summary = SUMMARY
+ s.description = s.summary
+ s.author = AUTHOR
+ s.email = EMAIL
+ s.homepage = HOMEPAGE
+
+ # Uncomment this to add a dependency
+ # s.add_dependency "foo"
+
+ s.require_path = 'lib'
+ s.autorequire = GEM
+ s.files = %w(LICENSE README.rdoc Rakefile NOTICE) + Dir.glob("{lib,spec,features}/**/*")
+end
+
+task :default => :test
+
+desc "Run specs"
+Spec::Rake::SpecTask.new do |t|
+ t.spec_files = FileList['spec/**/*_spec.rb']
+ t.spec_opts = %w(-fs --color)
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+ pkg.gem_spec = spec
+end
+
+desc "install the gem locally"
+task :install => [:package] do
+ sh %{sudo gem install pkg/#{GEM}-#{GEM_VERSION}}
+end
+
+desc "create a gemspec file"
+task :make_spec do
+ File.open("#{GEM}.gemspec", "w") do |file|
+ file.puts spec.to_ruby
+ end
+end
+
+Cucumber::Rake::Task.new(:features) do |t|
+ t.step_pattern = 'features/steps/**/*.rb'
+ supportdir = 'features/support'
+ t.cucumber_opts = "--format pretty -r #{supportdir}"
+end
+
+desc "remove build files"
+task :clean do
+ sh %Q{ rm -f pkg/*.gem }
+end
+
+desc "Run the spec and features"
+task :test => [ :features, :spec ]
diff --git a/lib/mixlib/authentication.rb b/lib/mixlib/authentication.rb
new file mode 100644
index 0000000..320ee49
--- /dev/null
+++ b/lib/mixlib/authentication.rb
@@ -0,0 +1,12 @@
+require 'couchrest'
+require 'mixlib/log'
+
+module Mixlib
+ module Authentication
+ class Log
+ extend Mixlib::Log
+ end
+ end
+end
+
+
diff --git a/lib/mixlib/authentication/digester.rb b/lib/mixlib/authentication/digester.rb
new file mode 100644
index 0000000..185532f
--- /dev/null
+++ b/lib/mixlib/authentication/digester.rb
@@ -0,0 +1,38 @@
+require 'mixlib/authentication'
+
+module Mixlib
+ module Authentication
+ class Digester
+ attr_reader :hashed_body
+
+ def initialize()
+ @hashed_body = nil
+ end
+
+ # Compare the request timestamp with boundary time
+ #
+ #
+ # ====Parameters
+ # time1<Time>:: minuend
+ # time2<Time>:: subtrahend
+ #
+ def hash_file(f)
+ digester = Digest::SHA1.new
+ buf = ""
+ while f.read(16384, buf)
+ digester.update buf
+ end
+ @hashed_body ||= ::Base64.encode64(digester.digest).chomp
+ end
+
+ # Digests the body, base64's and chomps the end
+ #
+ #
+ # ====Parameters
+ #
+ def hash_body(body)
+ @hashed_body ||= ::Base64.encode64(Digest::SHA1.digest(body)).chomp
+ end
+ end
+ end
+end
diff --git a/lib/mixlib/authentication/signatureverification.rb b/lib/mixlib/authentication/signatureverification.rb
new file mode 100644
index 0000000..60a1517
--- /dev/null
+++ b/lib/mixlib/authentication/signatureverification.rb
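Review bot: `require 'couchrest'` at the top of authentication.rb is not used anywhere in this file — only `Mixlib::Log` is referenced — and the gemspec in the Rakefile declares no runtime dependencies at all, so the library pulls in an undeclared, heavyweight gem purely as a side effect of being loaded. An undeclared require fails at load time for any consumer that lacks the gem, and every extra gem an authentication library loads is extra supply-chain surface. Drop the line, or if a CouchDB dependency is really intended, declare it with `s.add_dependency "couchrest"` in the gemspec; the same applies to `mixlib-log`, `hmac` and `hmac-sha2`, which other files in this commit require without declaring.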
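Review bot: The header comment on `hash_file` (`time1<Time>:: minuend`, `time2<Time>:: subtrahend`) was pasted from a timestamp comparison and describes none of its parameters or result; suggest `# Streams +f+ through SHA-1 in 16 KiB chunks and memoizes the base64 digest in @hashed_body`, with `# f<IO>:: readable body stream` under `====Parameters` and `# <String>:: base64 SHA-1 digest, trailing newline stripped` under a `====Returns` heading. Both methods memoize with `@hashed_body ||=`, so a Digester reused for a second body silently returns the first digest; the two call sites in this commit create a fresh instance each time, but the class comment should state that the object is single-use. Nothing in this file requires `digest` or `base64` even though `Digest::SHA1` and `::Base64` are used, so the class only works when another file has loaded them first — add `require 'digest/sha1'` and `require 'base64'` here. SHA-1 is also the weakest choice for the content hash the signature is bound to, and the documented X-Ops-Sign example in signatureverification.rb advertises `algorithm=sha256`, so a SHA-256 digest would be the consistent option.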
@@ -0,0 +1,101 @@
+require 'ostruct'
+require 'net/http'
+
+require 'mixlib/authentication/signedheaderauth'
+require 'mixlib/authentication/digester'
+
+module Mixlib
+ module Authentication
+ class SignatureVerification
+
+ include Mixlib::Authentication::SignedHeaderAuth
+
+ attr_reader :hashed_body, :timestamp, :http_method, :user_id
+
+ # Takes the request, boils down the pieces we are interested in,
+ # looks up the user, generates a signature, and compares to
+ # the signature in the request
+ # ====Headers
+ #
+ # X-Ops-Sign: algorithm=sha256;version=1.0;
+ # X-Ops-UserId: <user_id>
+ # X-Ops-Timestamp:
+ # X-Ops-Content-Hash:
+ def authenticate_user_request(request, user_lookup, time_skew=(15*60))
+ Mixlib::Authentication::Log.debug "Initializing header auth : #{request.inspect}"
+
+ headers ||= request.env.inject({ }) { |memo, kv| memo[$2.downcase.to_sym] = kv[1] if kv[0] =~ /^(HTTP_)(.*)/; memo }
+ digester = Mixlib::Authentication::Digester.new
+
+ begin
+ @allowed_time_skew = time_skew # in seconds
+ @http_method = request.method.to_s
+ @signing_description = headers[:x_ops_sign].chomp
+ @user_id = headers[:x_ops_userid].chomp
+ @timestamp = headers[:x_ops_timestamp].chomp
+ @request_signature = headers[:authorization].chomp.gsub!(/\n\t/,"\n")
+ @host = headers[:host].chomp
+ @content_hash = headers[:x_ops_content_hash].chomp
+ @user_secret = user_lookup
+
+
+ file_param = request.params["file"]
+
+ @hashed_body = if file_param
+ Mixlib::Authentication::Log.debug "Digesting file_param: '#{file_param.inspect}'"
+ if file_param.respond_to?(:has_key?)
+ tempfile = file_param[:tempfile]
+ digester.hash_file(tempfile)
+ else
+ digester.hash_body(file_param)
+ end
+ else
+ body = request.raw_post
+ Mixlib::Authentication::Log.debug "Digesting body: '#{body}'"
+ digester.hash_body(body)
+ end
+
+ Mixlib::Authentication::Log.debug "Authenticating user : #{user_id}, User secret is: #{@user_secret}, Request signature is :\n#{@request_signature}, Hashed Body is #{@hashed_body}"
+
+ #BUGBUG Not doing anything with the signing description yet [cb]
+ parse_signing_description
+ candidate_block = canonicalize_request
+ request_decrypted_block = @user_secret.public_decrypt(Base64.decode64(@request_signature))
+ signatures_match = (request_decrypted_block == candidate_block)
+ timeskew_is_acceptable = timestamp_within_bounds?(Time.parse(timestamp), Time.now)
+ hashes_match = @content_hash == hashed_body
+ rescue StandardError=>se
+ raise StandardError,"Failed to authenticate user request. Most likely missing a necessary header: #{se.message}"
+ end
+
+ Mixlib::Authentication::Log.debug "Candidate Block is: '#{candidate_block}'\nRequest decrypted block is: '#{request_decrypted_block}'\nCandidate content hash is: #{hashed_body}\nRequest Content Hash is: '#{@content_hash}'\nSignatures match: #{signatures_match}, Allowed Time Skew: #{timeskew_is_acceptable}, Hashes match?: #{hashes_match}\n"
+
+ if signatures_match and timeskew_is_acceptable and hashes_match
+ OpenStruct.new(:name=>user_id)
+ else
+ nil
+ end
+ end
+
+ private
+
+ # Compare the request timestamp with boundary time
+ #
+ #
+ # ====Parameters
+ # time1<Time>:: minuend
+ # time2<Time>:: subtrahend
+ #
+ def timestamp_within_bounds?(time1, time2)
+ time_diff = (time2-time1).abs
+ is_allowed = (time_diff < @allowed_time_skew)
+ Mixlib::Authentication::Log.debug "Request time difference: #{time_diff}, within #{@allowed_time_skew} seconds? : #{!!is_allowed}"
+ is_allowed
+ end
+ end
+
+
+ end
+end
+
+
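Review bot: `@request_signature = headers[:authorization].chomp.gsub!(/\n\t/,"\n")` assigns nil whenever the Authorization header contains no `\n\t` sequence, because `gsub!` returns nil when it substitutes nothing; the request then dies in `Base64.decode64(nil)` and is rejected via the rescue, so any client or intermediary that delivers the signature as a single unfolded line cannot authenticate even with a valid signature. Use the non-destructive form, `@request_signature = headers[:authorization].chomp.gsub(/\n\t/, "\n")`. Two related observations: when a `file` param is present only that part's bytes are hashed, so any other fields of a multipart body fall outside what the signature covers, and `@host` is captured but never compared or fed into the canonical form, so the signature is not bound to the target host. The "User secret is:" debug line also logs the `user_lookup` object; it is used here as an RSA public key, but the name invites a future caller to pass something that must not end up in a log.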
diff --git a/lib/mixlib/authentication/signedheaderauth.rb b/lib/mixlib/authentication/signedheaderauth.rb
new file mode 100644
index 0000000..21ff2ed
--- /dev/null
+++ b/lib/mixlib/authentication/signedheaderauth.rb
@@ -0,0 +1,87 @@
+require 'time'
+require 'base64'
+require 'ostruct'
+require 'digest/sha2'
+require 'hmac'
+require 'hmac-sha2'
+require 'mixlib/authentication'
+require 'mixlib/authentication/digester'
+
+module Mixlib
+ module Authentication
+ module SignedHeaderAuth
+
+ SIGNING_DESCRIPTION = 'version=1.0'
+
+ # This is a module meant to be mixed in but can be used standalone
+ # with the simple OpenStruct extended with the auth functions
+ class << self
+ def signing_object(args={ })
+ OpenStruct.new(args).extend SignedHeaderAuth
+ end
+ end
+
+ # Build the canonicalized request based on the method, other headers, etc.
+ # compute the signature from the request, using the looked-up user secret
+ # ====Parameters
+ # private_key<String>:: user's RSA private key.
+ def sign(private_key)
+ digester = Mixlib::Authentication::Digester.new
+ @hashed_body = if self.file
+ digester.hash_file(self.file)
+ else
+ digester.hash_body(self.body)
+ end
+
+ signature = Base64.encode64(private_key.private_encrypt(canonicalize_request)).chomp.gsub!(/\n/,"\n\t")
+ header_hash = {
+ :x_ops_sign=>SIGNING_DESCRIPTION,
+ :x_ops_userid=>user_id,
+ :x_ops_timestamp=> canonical_time,
+ :x_ops_content_hash=>@hashed_body,
+ :authorization=>signature,
+ }
+ Mixlib::Authentication::Log.debug "Header hash: #{header_hash.inspect}"
+
+ header_hash
+ end
+
+ # Build the canonicalized time based on utc & iso8601
+ #
+ # ====Parameters
+ #
+ def canonical_time
+ Time.parse(timestamp).utc.iso8601
+ end
+
+ # Takes HTTP request method & headers and creates a canonical form
+ # to create the signature
+ #
+ # ====Parameters
+ #
+ #
+ def canonicalize_request
+ Mixlib::Authentication::Log.debug "canonicalize_request:"
+ canon_request = "Method:#{http_method.to_s.upcase}\nX-Ops-Content-Hash:#{@hashed_body}\nX-Ops-Timestamp:#{canonical_time}\nX-Ops-UserId:#{user_id}"
+ Mixlib::Authentication::Log.debug "canonicalize_request: #{canon_request}"
+ canon_request
+ end
+
+ # Parses signature version information, algorithm used, etc.
+ #
+ # ====Parameters
+ #
+ def parse_signing_description
+ parts = @signing_description.strip.split(";").inject({ }) do |memo, part|
+ field_name, field_value = part.split("=")
+ memo[field_name.to_sym] = field_value.strip
+ memo
+ end
+ Mixlib::Authentication::Log.debug "Parsed signing description: #{parts.inspect}"
+ end
+
+ private :canonical_time, :canonicalize_request, :parse_signing_description
+
+ end
+ end
+end
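Review bot: `canonicalize_request` binds the signature to the method, content hash, timestamp and user id only; the request path is not part of the canonical string (and the verifier in signatureverification.rb captures `@host` without ever using it), so a captured signed request remains valid for any URL on the server that accepts the same method and body until its timestamp ages out of the skew window, and within that window it can also be replayed verbatim. Adding the path as a line of the canonical form, e.g. `Path:#{path}` between `Method:` and `X-Ops-Content-Hash:` on both the signing and verifying side, closes the cross-endpoint case; identical-request replay would need a nonce or a server-side cache of seen signatures, which this version does not attempt. `private_key.private_encrypt(canonicalize_request)` is a raw RSA operation on the message rather than hash-then-sign (`private_key.sign(OpenSSL::Digest::SHA256.new, canonicalize_request)` with the matching `verify`), which also caps the canonical string at the modulus size minus padding — with a 1024-bit key the fixed fields shown here appear to leave only a handful of bytes for the user id before `private_encrypt` raises. Finally, `.chomp.gsub!(/\n/,"\n\t")` returns nil when the base64 signature contains no newline, so `gsub` is the safe form.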